Fixed Vulnerable Items are not changing to closed status even after detected closed/fixed by Qualys?

AndrewP · ‎05-05-2021

I am finding multiple vulnerable items that are remaining in Open status, even after Qualys no longer detects them. The Vulnerable Item Detection (DET#) shows them with a Status of Closed and a Source Status of Fixed, however the VIT# still shows as Open.

I believe the logic needed to update is in DetectionBase (QualysHostImportReportProcessor > Detection > DetectionBase). I have seen mention of Detection, but the bulk of the logic is in DetectionBase.

We are using VR version 12.1.4

Chris McDevitt · ‎05-06-2021

Hi,

First up, avoid customization to the Scripts Includes like the plague.

Second, keep an eye on the June Store release of VR and upgrade. (but if you customize the VR SI then it is much harder to upgrade....).

Third, take advantage of the "Close Stale Vulnerabilities"

https://docs.servicenow.com/bundle/quebec-security-management/page/product/vulnerability-response/task/vr-autoclosevi.html

And Auto delete rules:

https://docs.servicenow.com/bundle/quebec-security-management/page/product/vulnerability-response/task/enable-auto-del-vi-vg.html

Fourth,

Take a look at the VI's that are not closing. Drill down into the Detections. Are you seeing one Detection closed and another open? (one or more). Add "Detection Key" to the list view on the Detections list (related list). Are the keys different? Take a look at the Proof. Are they different? If the answer is yes, then this is most likely the issue. Again keep an eye on the June Store release.

It is hard to remote diagnose.... so...

View solution in original post

Ashutosh Munot1 · ‎05-07-2021

HI,

Yes the keys will play a vital role in closure. As chris already mentioned they should be same,

Thanks,
Ashutosh

Chris McDevitt · ‎05-06-2021

Hi,

First up, avoid customization to the Scripts Includes like the plague.

Second, keep an eye on the June Store release of VR and upgrade. (but if you customize the VR SI then it is much harder to upgrade....).

Third, take advantage of the "Close Stale Vulnerabilities"

https://docs.servicenow.com/bundle/quebec-security-management/page/product/vulnerability-response/task/vr-autoclosevi.html

And Auto delete rules:

https://docs.servicenow.com/bundle/quebec-security-management/page/product/vulnerability-response/task/enable-auto-del-vi-vg.html

Fourth,

Take a look at the VI's that are not closing. Drill down into the Detections. Are you seeing one Detection closed and another open? (one or more). Add "Detection Key" to the list view on the Detections list (related list). Are the keys different? Take a look at the Proof. Are they different? If the answer is yes, then this is most likely the issue. Again keep an eye on the June Store release.

It is hard to remote diagnose.... so...

AndrewP · ‎05-06-2021

Thanks Chris,

We have set Close Stale Vulnerability/Autoclosure rules based on a 90 day timeframe. We also set Auto delete rules. However these are long time periods and don't seem to fix the source of the problem.

Looking at the VIs not closing, we are indeed seeing one or more open detections followed by a closed detection. The detection keys for all detections are different. The Proofs are all the same however.

I will keep an eye on the June store release, but this is quite urgent for us. Would be open to sharing a Zoom link if that is an option.

Thanks for the help!

tsylte · ‎02-21-2022

🙂 What are we looking for in the June release to help with this?

Chris McDevitt · ‎03-08-2022

They changed the way the detection key is being handled.

https://docs.servicenow.com/bundle/sandiego-security-management/page/product/vulnerability-response/task/vr-configure-vi-key.html